WAGO: Vulnerabilities in Device Sphere and Solution Builder

VDE-2025-087
Last update: 09/24/2025 11:00
Published at: 09/24/2025 11:00
Vendor(s): WAGO GmbH & Co. KG
External ID: VDE-2025-087

Summary

Due to a missing authentication check, the WAGO Solution Builder and the WAGO Device Sphere are vulnerable to a potential information exposure.

Impact

Exposing database credentials gives attackers direct database access, leading to data loss, theft or manipulation. Exposing user accounts and roles facilitates targeted attacks like brute-force or social engineering, increasing the risk of compromising privileged accounts.

Affected Product(s)

Model no. | Product name | Affected versions
- | WAGO Software Device Sphere | <1.1.0
- | WAGO Software Solution Builder | <2.3.3

Vulnerabilities

Published: 10/02/2025 10:31
Weakness: Missing Authentication for Critical Function (CWE-306)
Summary

The database for the web application is exposed without authentication, allowing an unauthenticated remote attacker to gain unauthorized access and potentially compromise it.

References

Published: 10/02/2025 10:31
Weakness: Missing Authentication for Critical Function (CWE-306)
References

Remediation

Please upgrade the WAGO Device Sphere or the WAGO Solution Builder to the fixed version listed below, or to a later one.

Affected Product | Fixed Version
WAGO Software Device Sphere | 1.1.0
WAGO Software Solution Builder | 2.3.3

Acknowledgments

WAGO GmbH & Co. KG thanks the following parties for their efforts:

Revision History

Version | Date | Summary
1.0.0 | 09/24/2025 11:00 | Initial Release.